Problems with DNS

Hello All...
We’ve been having problems lately when the vpn connection goes down and I really would appreciate some help to see where the problem is.

We have 3 DCs, which are also our DNS servers in an AD domain. All DCs are W2K3 SP1. We have a vpn connection to our root domain which replicates AD and DNS traffic. On our DNS servers we have the forwarders as 3 DNS servers in the root domain and 2 DNS servers for the local ISP.

The problem is that when the VPN tunnel connection in RRAS connection on our ISA server goes down, which happens a couple of times a week usually, no clients can browse the internet because domain names aren’t being resolved, if the IP address is inserted on the browser then there’s no problem. Also the SMTP queue in Our Email (Exchange 2003) is backed up with email. Obviously this seems like a DNS problem to me, but I don’t understand why the local ISP DNS servers aren’t allowing the resolution. I tested them and they are pingable and they resolve domain names through the internet if I connect a pc directly to the external WAN switch, bypassing our ISA server.

I ran a dcdiag /dnsall and /fix and our DNS servers pass without problems.

How can I make sure that when the vpn connection goes down that we can rely on the local ISP DNS servers for our internet browsing and SMTP routing? Could this be a rule in ISA that should be created for this traffic?

I think your last sentence is correct. It sounds like ISA is not allowing DNS queries (or responses) to your ISP. Perhaps the rule is set so that traffic (DNS) is only allowed to your other internal network? An easy way to test that is to enable ISA monitoring and watch it when this problem occurs.

I've tried again with new ISA access rules allowing DNS protocol inbound/outbound to external/internal and local host and our DNS servers. I've tried every DNS rule I can think of and still we can't resolve domain names when pinging, no internet browsing and the smtp mail queue is frozen with mail building up. We can ping the local ISP's DNS server IP addresses no problem from any pc in the domain, it's the resolution from domain names that's not working. From our ISA server or any DNS server on our domain if I run an nslookup and type in a url (www.yahoo.com) for example, the connection times out to our DNS servers but as soon as the vpn connection to our AD domain is reconnected everything works fine.

I want to make sure that when the vpn connection in our AD domain is down with the root domain that at least we can still have our smtp mail and internet web browsing working. I'm stuck here. Any suggestions???
Thanks!

Please can you post more details about how the forwarders are set on your DNS servers. Are you using conditional forwarding to the other domain based DNS servers? If so, this would normally be because you have more than one Windows domain - is that the case?

What does the list of forwarders look like when "All other DNS domains" is selected. Is the box ticked that says "Do not use recursion for this domain"?

Which DNS server do workstations use as their preferred DNS server? Is it always the one on the nearest domain controller (i.e. one that can be reached even when VPN is down)?


Thanks so much for replying, We are a child domain to the parent (root) domain that we have the vpn connection with. On our 3 DNS servers the list of forwarders looks like this when "All other DNS domains" is selected:

Yes, the box is ticked for "Do not use recursion for this domain". (Although I'm not sure what that means)
I don't know much about DNS so I don't know if conditional forwarding is being used to the other domain, but I will investigate that.

Yes, the clients use the 3 internal DNS servers on our domain as the preferred DNS servers but when the VPN goes down there is no name resolution for the internet browsing or smtp mail.

You should *not* include the three other root domain DNS servers in your list of forwarders for "All other DNS domains". You should only have the two ISP DNS servers. That will be the reason why DNS fails for external names whenever the VPN is down.

However, you will probably need to use conditional forwarding to resolve names in local windows domains hosted on remote DCs connected via VPN. Conditional forwarding just means that instead of using the "All other DNS domains", you specify a particular domain name for which any name resolution requests should be forwarded to another DNS server.

Forwarders on DC2 should be set to:
"mydomain.local" -> forward to DC1
"All other DNS domains" -> forward to local ISP DNS servers

To add a conditional forwarder, click the New... button just to the right of the box containing the item "All other DNS domains". Each domain you add will have its own list of IP addresses in the section called "Selected domains forwarder IP address list" and these are not the same as the list of IP addresses for "All other DNS domains".
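The same split (ISP resolvers for "All other DNS domains", a conditional forwarder for the domain reached over the VPN) can be scripted with dnscmd.exe, which ships with Windows Server 2003. This is an added example, not from the thread; the IP addresses and the domain name `root.example.local` are placeholders to replace with your own.

```powershell
# Added example: configure forwarders on a W2K3 DC/DNS server with dnscmd.exe
# so that external resolution does not depend on the VPN link.
# Placeholder values (constructed for this example); replace with your own.
$IspDns     = '198.51.100.10', '198.51.100.11'       # the two local ISP resolvers
$RootDcDns  = '10.10.0.1', '10.10.0.2', '10.10.0.3'  # root-domain DCs, reachable only via VPN
$RootDomain = 'root.example.local'                   # parent (root) AD domain name

# 1. "All other DNS domains": ISP servers only. /TimeOut is the per-forwarder wait in
#    seconds; /Slave is the GUI's "Do not use recursion for this domain" (fail instead of
#    falling back to root hints, which ISA would most likely block anyway).
dnscmd /ResetForwarders $IspDns /TimeOut 5 /Slave

# 2. Conditional forwarder: only names under the root domain go to the remote DCs.
dnscmd /ZoneAdd $RootDomain /Forwarder $RootDcDns /TimeOut 5 /Slave

# 3. Verify: the forwarder settings appear in /Info, the conditional forwarder
#    shows up as a zone of type Forwarder in /EnumZones.
dnscmd /Info | Select-String -Pattern 'forward'
dnscmd /EnumZones | Select-String -Pattern $RootDomain

# 4. Test against this server with the VPN down: an external name must resolve
#    via the ISP path, while a root-domain name is expected to fail (quickly).
nslookup www.example.com 127.0.0.1
nslookup "dc1.$RootDomain" 127.0.0.1
```

Repeat steps 1 and 2 on each of the three DCs, since forwarder settings are per server and are not replicated with AD.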

Yes, good point. I would guess that resolution failed because the client application timed out before the local DNS server had worked its way through the list of forwarders.

Your list had three internal servers first, then the two ISP servers. It would try them one at a time in the order given. If it has to wait for 5 seconds on each before trying the next one, then you've got at least 15s before it tries the first ISP server. That is probably too long for the client app to wait so it reports that the name cannot be resolved.

As an aside, did you know that Exchange 2003 can be configured to use its own list of DNS servers for SMTP delivery?

That makes sense about the time outs. Yes, I saw that about the Exchange using its own list of DNS servers. We have ours setup to forward all of our SMTP mail through a smart host. Thanks a lot for all your help on this, I've learned some good points. I would like now to read up on how I can strategically setup our DNS servers in the most secure and sensible way. I read somewhere about having only one DNS server point to the internet as a forwarder and use the rest to point to that one, instead of exposing all to the internet on the forwarder IPs.

I learnt most of what I know about DNS from the book 'Mastering Windows Server 2003' by Mark Minasi. It's a great book and certainly covers the DNS setup that you just mentioned. The only drawback with that book is its size - he tends to repeat himself, gives tons of examples and explains every little detail so using it as a quick reference is hard simply because of the difficulty in finding the right pages. On the other hand reading it from cover to cover would be a lifetime's work!
